AR20-239A: MAR-10301706-1.v1 – North Korean Remote Access Tool: ECCENTRICBANDWAGON

Original release date: August 26, 2020

Description

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as ECCENTRICBANDWAGON. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. DHS, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This report looks at malware samples known as ECCENTRICBANDWAGON. This family of malware is used as a reconnaissance tool. The samples in this report are used for keylogging and screen capture functionality. The samples are very similar, but differ slightly in the location that they store the key logs and screenshots. Some variants have RC4 encrypted strings within the executable and conduct a simple, ineffective cleanup, whereas others do not.

For a downloadable copy of IOCs, see MAR-10301706-1.v1.stix.

Submitted Files (4)

32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8 (PSLogger .dll)

9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e (PSLogger .dll)

c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec (PSLogger .dll)

efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e (PSLogger .dll)

Findings

efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

Tags

HIDDEN-COBRAbackdoorkeyloggerreconnaissancescreen-capturespywaretrojan

Details
Name PSLogger .dll
Size 138240 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 d45931632ed9e11476325189ccb6b530
SHA1 081d5bd155916f8a7236c1ea2148513c0c2c9a33
SHA256 efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e
SHA512 fd1b7ea95f66a660e9183c22755ac7d741823ba45a009bf9929546213308f89fd9ce8fcc2e70b56e427f0daa1b0965817d45dd9c2f5598404bc79c50afc2f818
ssdeep 3072:t+N02CVLOJdCPQhVNRTzcb/YrgHdnG6ioaa5IR:sO2qO3CPkRTz8YrgHdGBoa1
Entropy 6.096739
Antivirus
Ahnlab Trojan/Win64.Agent
Antiy Trojan[Spy]/Win64.Agent
Avira TR/Spy.Agent.ftmjo
BitDefender Trojan.GenericKD.40337042
Cyren W64/Trojan.WFEO-4014
ESET a variant of Win64/Spy.Agent.AP trojan
Emsisoft Trojan.GenericKD.40337042 (B)
Filseclab W64.Spy.Agent.AP.feaw
Ikarus Trojan-Spy.Win64.Agent
K7 Spyware ( 00538f7c1 )
Lavasoft Trojan.GenericKD.40337042
McAfee RDN/Generic PWS.nq
Microsoft Security Essentials Trojan:Win32/Tiggre!plock
NANOAV Trojan.Win64.Mlw.fgbvfi
NetGate Trojan.Win32.Malware
Sophos Troj/Spy-AUK
Symantec Trojan.Crobaruko
Systweak malware.agent
TrendMicro TSPY64_.F7315F7E
TrendMicro House Call TSPY64_.F7315F7E
Vir.IT eXplorer Backdoor.Win32.Lazarus.BGM
VirusBlokAda TrojanSpy.Win64.Agent
Zillya! Trojan.Agent.Win64.2215
YARA Rules
  • rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
    {
       meta:
           Author = “CISA Trusted Third Party”
           Incident = “10301706.r1.v1”
           Date = “2020-08-11”
           Actor = “Hidden Cobra”
           Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
           Family = “ECCENTRICBANDWAGON”
           Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
           MD5_1 = “d45931632ed9e11476325189ccb6b530”
           SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
           MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
           SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
           MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
           SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
           MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
           SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
       strings:
           $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
           $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
           $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
           $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
           $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
       condition:
           any of them
    }
ssdeep Matches
100 32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8
PE Metadata
Compile Date 2018-04-27 22:53:06-04:00
Import Hash f0faa229b086ea5053b4268855f0c8ba
PE Sections
MD5 Name Raw Size Entropy
09745305cbad67b17346f0f6dba1e700 header 1024 2.729080
5c2242b56a31d64b6ce82671d97a82a4 .text 92160 6.415763
0d022eff24bc601d97d2088b4179bd18 .rdata 31232 4.934652
578e5078ccb878f1aa9e309b4cfc2be5 .data 6144 2.115729
09924946b47ef078f7e9af4f4fcb59dc .pdata 5632 4.803615
7ead0113095bc6cb3b2d82f05fda25f3 .rsrc 512 5.115767
7937397e0a31cdc87f5b79074825e18e .reloc 1536 2.931043
Description

This file is a 64-bit dynamic link library (DLL). This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin Log Files–
1. Keylog: %temp%GoogleChromechromeupdate_pk
2. Screenshots: %temp%GoogleChromechromeupdate_ps_<YYYMMDD>_<HHMMSS>_<sss>_<ThreadID>
3. Log intervals: C:ProgramData2.dat
–End Log Files–

The malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads will return and the program will exit.

32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8

Tags

HIDDEN-COBRAbackdoorkeyloggerreconnaissancescreen-capturespywaretrojan

Details
Name PSLogger .dll
Size 138243 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 acd15f4393e96fe5eb920727dc083aed
SHA1 c92529097cad8996f3a3c8eb34b56273c29bdce5
SHA256 32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8
SHA512 82a946c2d0c9fffdd23d8e6b34028ac1b0368d4fd78302268aa4d954bead8a82ea15873a28d69946dceaf80fcafd0c52aeb59f47df5a029f77072fa1bc8e0fae
ssdeep 3072:t+N02CVLOJdCPQhVNRTzcb/YrgHdnG6ioaa5IR:sO2qO3CPkRTz8YrgHdGBoa1
Entropy 6.096652
Antivirus
Ahnlab Trojan/Win64.Agent
Antiy Trojan[Spy]/Win64.Agent
Avira TR/Spy.Agent.ftmjo
BitDefender Trojan.GenericKD.40337042
Comodo Malware
Cyren W64/Trojan.WFEO-4014
ESET a variant of Win64/Spy.Agent.AP trojan
Emsisoft Trojan.GenericKD.40337042 (B)
Ikarus Trojan-Spy.Win64.Agent
K7 Spyware ( 00538f7c1 )
Lavasoft Trojan.GenericKD.40337042
Microsoft Security Essentials Trojan:Win32/Tiggre!plock
NANOAV Trojan.Win64.Mlw.fgbtfv
Symantec Trojan.Crobaruko
Systweak malware.agent
Vir.IT eXplorer Backdoor.Win32.Lazarus.BGM
VirusBlokAda TrojanSpy.Win64.Agent
Zillya! Trojan.Agent.Win64.2215
YARA Rules
  • rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
    {
       meta:
           Author = “CISA Trusted Third Party”
           Incident = “10301706.r1.v1”
           Date = “2020-08-11”
           Actor = “Hidden Cobra”
           Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
           Family = “ECCENTRICBANDWAGON”
           Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
           MD5_1 = “d45931632ed9e11476325189ccb6b530”
           SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
           MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
           SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
           MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
           SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
           MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
           SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
       strings:
           $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
           $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
           $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
           $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
           $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
       condition:
           any of them
    }
ssdeep Matches
100 efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e
PE Metadata
Compile Date 2018-04-27 22:53:06-04:00
Import Hash f0faa229b086ea5053b4268855f0c8ba
PE Sections
MD5 Name Raw Size Entropy
09745305cbad67b17346f0f6dba1e700 header 1024 2.729080
5c2242b56a31d64b6ce82671d97a82a4 .text 92160 6.415763
0d022eff24bc601d97d2088b4179bd18 .rdata 31232 4.934652
578e5078ccb878f1aa9e309b4cfc2be5 .data 6144 2.115729
09924946b47ef078f7e9af4f4fcb59dc .pdata 5632 4.803615
7ead0113095bc6cb3b2d82f05fda25f3 .rsrc 512 5.115767
7937397e0a31cdc87f5b79074825e18e .reloc 1536 2.931043
Description

This file is a 64-bit DLL. This sample and “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e” are nearly identical with the only difference being that this sample has 3 extra NULL bytes at the end of the file.

This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin Log Files–
1. Keylog: %temp%GoogleChromechromeupdate_pk
2. Screenshots: %temp%GoogleChromechromeupdate_ps_<YYYMMDD>_<HHMMSS>_<sss>_<ThreadID>
3. Log intervals: C:ProgramData2.dat
–End Log Files–

The malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads will return and the program will exit.

c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

Tags

HIDDEN-COBRAbackdoorkeyloggerreconnaissancescreen-capturetrojan

Details
Name PSLogger .dll
Size 175104 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 34404a3fb9804977c6ab86cb991fb130
SHA1 b345e6fae155bfaf79c67b38cf488bb17d5be56d
SHA256 c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec
SHA512 01a8c8b66f6895387c6a347d02d00ea09619888f2727096a19d4c4ff50e6bf72367cbd41f09e89a57f7f3862efbb2db8177dbec086c4ce2aca3518d124575033
ssdeep 3072:AeO51bvWZElWhKQGhvNdx2GYZj+utNfBtZl7mGwwZWyNGVxBqu:A77beClWhKQG36UutNfB077Bqu
Entropy 6.491987
Antivirus
Ahnlab Malware/Gen.Generic
Antiy GrayWare/Win32.Presenoker
BitDefender Trojan.GenericKD.43188225
Cyren W32/Trojan.MZDN-2436
ESET a variant of Generik.HKZTFCG trojan
Emsisoft Trojan.GenericKD.43188225 (B)
Ikarus Trojan.SuspectCRC
K7 Trojan ( 005506c81 )
Lavasoft Trojan.GenericKD.43188225
NANOAV Trojan.Win32.KeyLogger.fnwztc
NetGate Malware.Generic
Symantec Hacktool.Keylogger
Vir.IT eXplorer Backdoor.Win32.Lazarus.BGM
VirusBlokAda TrojanSpy.Keylogger
Zillya! Trojan.Keylogger.Win32.9
YARA Rules
  • rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
    {
       meta:
           Author = “CISA Trusted Third Party”
           Incident = “10301706.r1.v1”
           Date = “2020-08-11”
           Actor = “Hidden Cobra”
           Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
           Family = “ECCENTRICBANDWAGON”
           Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
           MD5_1 = “d45931632ed9e11476325189ccb6b530”
           SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
           MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
           SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
           MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
           SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
           MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
           SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
       strings:
           $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
           $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
           $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
           $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
           $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
       condition:
           any of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2018-11-14 09:44:18-05:00
Import Hash a8623b2da60776df129ebe0430d48d85
PE Sections
MD5 Name Raw Size Entropy
37ecb293f01edad89fcee1ce48e4cde3 header 1024 2.949326
36fd9d805b7c591ab71eda922662e30a .text 124928 6.650973
1d3132305f18961b86c1fda0a2f4eea9 .rdata 38912 5.166660
9e17ac76df46fd523a11378398cf026f .data 3072 2.367308
bbee55723eaad8c7f73a5fa9bf2159d4 .gfids 512 2.275750
264e317304c9b21a342169b33c0a791a .rsrc 512 4.717679
a1ab3dce319437b49198eeff43f4d847 .reloc 6144 6.422499
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Description

This sample is nearly identical to “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e” with the exception that this sample will RC4 encrypt some of its strings and use different log files.

The following strings are RC4 encrypted with the key “key”:

–Begin RC4 encrypted strings–
Downloads
c:windowstempTMP0389A.tmp
c:windowstemptmp1105.tmp
[CLIPBOARD]
[/CLIPBOARD]
–End RC4 encrypted strings–

This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin log files–
1. Keylog: %temp%Downloadstmp_<USERNAME>
2. Screenshots: %temp%Downloadstmp_<USERNAME>_<MMDD>_<HHMMSS>
3. Log intervals: c:windowstemptmp1105.tmp
–End log files–

The malware creates 3 threads to populate the log files listed above. Each one will continue to execute until a global kill variable is set to 1. This variable can only be set to 1 by calling an export called “Process” from within this DLL. When the export is called, the threads will return and the program will exit.

9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e

Tags

HIDDEN-COBRAkeyloggerreconnaissancescreen-capturespywaretrojan

Details
Name PSLogger .dll
Size 210944 bytes
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 3122b0130f5135b6f76fca99609d5cbe
SHA1 ce6bc34b887d60f6d416a05d5346504c54cff030
SHA256 9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e
SHA512 788c666efeb664c7691a958d15eac2b80d3d17241f5e7c131e5dec2f761bcb70950018c1f8a85fd6600eff0d0fab0ce31fbcd364d16b6ef8b54deb5e9c215f08
ssdeep 3072:6usGRlrmZ8LP/LqdmpWOY9Y9EbyBFWnqD5W3P4Tp31oItN7W0rVu6eRDP/fJkkj7:67GTjOdCWOKXbyCnCEQTp2CE0/gh2W
Entropy 6.246368
Antivirus
Ahnlab Trojan/Win64.Redbanc
Antiy Trojan[Banker]/Win32.Alreay
Avira TR/Spy.Agent.kdvkr
BitDefender Trojan.GenericKD.41368668
ESET a variant of Win64/Spy.Agent.BG trojan
Emsisoft Trojan.GenericKD.41368668 (B)
Ikarus Trojan-Spy.Keylogger.Lazarus
K7 Spyware ( 005501401 )
Lavasoft Trojan.GenericKD.41368668
McAfee RDN/Generic PWS.tf
NANOAV Trojan.Win64.Alreay.hoqvyj
Quick Heal Trojan.Alreay
Sophos Troj/Alreay-A
TACHYON Unknown-Type/Alreay.210944
Zillya! Trojan.Alreay.Win32.91
YARA Rules
  • rule CISA_3P_10301706_01 : HiddenCobra ECCENTRICBANDWAGON backdoor keylogger reconnaissance screencapture spyware trojan
    {
       meta:
           Author = “CISA Trusted Third Party”
           Incident = “10301706.r1.v1”
           Date = “2020-08-11”
           Actor = “Hidden Cobra”
           Category = “Backdoor Keylogger Reconnaissance Screen-Capture Spyware Trojan”
           Family = “ECCENTRICBANDWAGON”
           Description = “Detects strings in ECCENTRICBANDWAGON proxy tool”
           MD5_1 = “d45931632ed9e11476325189ccb6b530”
           SHA256_1 = “efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e”
           MD5_2 = “acd15f4393e96fe5eb920727dc083aed”
           SHA256_2 = “32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8”
           MD5_3 = “34404a3fb9804977c6ab86cb991fb130”
           SHA256_3 = “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec”
           MD5_4 = “3122b0130f5135b6f76fca99609d5cbe”
           SHA256_4 = “9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e”
       strings:
           $sn1 = { FB 19 9D 57 [1-6] 9A D1 D6 D1 [1-6] 42 9E D8 FD }
           $sn2 = { 4F 03 43 83 [1-6] 48 E0 1A 2E [1-6] 3B FD FD FD }
           $sn3 = { 68 56 68 9A [1-12] 4D E1 1F 25 [1-12] 3F 38 54 0F [1-12] 73 30 62 A1 [1-12] DB 39 BD 56 }
           $sn4 = “%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d” wide ascii nocase
           $sn5 = “c:\windows\temp\TMP0389A.tmp” wide ascii nocase
       condition:
           any of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-04-08 07:26:25-04:00
Import Hash b113cba285f3c4ed179422f54692f4e3
PE Sections
MD5 Name Raw Size Entropy
fd81e5f6ab156dcdba2e2b92826ca192 header 1024 3.015020
88ecd4fac45e45b294de415ca514a93c .text 137728 6.457660
af0dab081123c1ad835c86f134138e7f .rdata 57344 5.118317
e7c661026f7ecf701bbcbdd15ff2b825 .data 3584 2.244033
4b406030a4a3dcaea845c14124010691 .pdata 8192 5.172064
f623a10ca467aac404ec6fda8e4810d4 .gfids 512 2.000422
3695113543a23c53791caa70b4bd8874 .rsrc 512 4.724729
f9f31f1689409c8834b7f0c28d948a65 .reloc 2048 4.924204
Description

This sample is nearly identical to “c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec” with the exception that it RC4 encrypts some of its strings, uses different log files, and has a simple cleanup routine.

The following strings are RC4 encrypted with the key “key”:

–Begin RC4 encrypted strings–
TrendMicroUpdate
c:windowstempTMP0389A.tmp
c:windowstemptmp1105.tmp
[CLIPBOARD]
[/CLIPBOARD]
–End RC4 encrypted strings–

This malware uses 3 files that will be used to store the key logs, screen shots, and log intervals. The location of these logs can be found in C:windowstempTMP0389A.tmp.

–Begin log files–
1. Keylog: %temp%TrendMicroUpdateupdate_<USERNAME>
2. Screenshots: %temp%TrendMicroUpdateupdate_<MMDD>_<HHMMSSl>
3. Log Intervals: c:windowstemptmp1105.tmp
–End log files–

This malware creates 3 threads to populate the log files listed above. Each one will continue to execute until the file C:windowstemptmp0207 contains a zero in a particular location. At this point, the program will signal an exit to the other threads and begin a cleanup thread. The cleanup thread will delete C:windowstemptmp0207 and then call WinExec(cmd.exe /c taskkill /f /im explorer.exe). This will crash explorer.exe, which could potentially alert a user who was using the device at the time.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • August 26, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.